shopify_app 7.4.0 → 8.5.0

data/lib/generators/shopify_app/install/templates/_flash_messages.html.erb

@@ -1,15 +1,19 @@
 <% content_for :javascript do %>
 <script type="text/javascript">
-  var eventName = typeof(Turbolinks) !== 'undefined' ? 'page:change' : 'DOMContentLoaded';
+  var eventName = typeof(Turbolinks) !== 'undefined' ? 'turbolinks:load' : 'DOMContentLoaded';
 
-  document.addEventListener(eventName, function() {
-    <% if flash[:notice] %>
-      ShopifyApp.flashNotice("<%= j flash[:notice].html_safe %>");
-    <% end %>
+  if (!document.documentElement.hasAttribute("data-turbolinks-preview")) {
+    document.addEventListener(eventName, function flash() {
+      <% if flash[:notice] %>
+        ShopifyApp.flashNotice(<%== flash[:notice].to_json %>);
+      <% end %>
 
-    <% if flash[:error] %>
-      ShopifyApp.flashError("<%= j flash[:error].html_safe %>");
-    <% end %>
-  });
+      <% if flash[:error] %>
+        ShopifyApp.flashError(<%== flash[:error].to_json %>);
+      <% end %>
+                             
+      document.removeEventListener(eventName, flash)
+    });
+  }
 </script>
 <% end %>

data/lib/generators/shopify_app/install/templates/shopify_app.rb

@@ -2,7 +2,10 @@ ShopifyApp.configure do |config|
   config.application_name = "<%= @application_name %>"
   config.api_key = "<%= @api_key %>"
   config.secret = "<%= @secret %>"
-  config.scope = "<%= @scope %>"
+  config.old_secret = "<%= @old_secret %>"
+  config.scope = "<%= @scope %>" # Consult this page for more scope options:
+                                 # https://help.shopify.com/en/api/getting-started/authentication/oauth/scopes
   config.embedded_app = <%= embedded_app? %>
   config.after_authenticate_job = false
+  config.session_repository = ShopifyApp::InMemorySessionStore
 end

data/lib/generators/shopify_app/install/templates/shopify_provider.rb

@@ -1,4 +1,19 @@
-  provider :shopify,
-    ShopifyApp.configuration.api_key,
-    ShopifyApp.configuration.secret,
-    scope: ShopifyApp.configuration.scope
+# frozen_string_literal: true
+
+provider :shopify,
+  ShopifyApp.configuration.api_key,
+  ShopifyApp.configuration.secret,
+  scope: ShopifyApp.configuration.scope,
+  setup: lambda { |env|
+    strategy = env['omniauth.strategy']
+
+    shopify_auth_params = strategy.session['shopify.omniauth_params']&.with_indifferent_access
+    shop = if shopify_auth_params.present?
+      "https://#{shopify_auth_params[:shop]}"
+    else
+      ''
+    end
+
+    strategy.options[:client_options][:site] = shop
+    strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
+  }

data/lib/generators/shopify_app/rotate_shopify_token_job/rotate_shopify_token_job_generator.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails/generators/base'
+
+module ShopifyApp
+  module Generators
+    class RotateShopifyTokenJobGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      def add_rotate_shopify_token_job
+        copy_file('rotate_shopify_token_job.rb', "app/jobs/shopify/rotate_shopify_token_job.rb")
+        copy_file('rotate_shopify_token.rake', "lib/tasks/shopify/rotate_shopify_token.rake")
+      end
+    end
+  end
+end

data/lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token.rake

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+namespace :shopify do
+  desc "Rotate shopify tokens for all active shops"
+  task :rotate_shopify_tokens, [:refresh_token] => :environment do |_t, args|
+    all_active_shops.find_each do |shop|
+      Shopify::RotateShopifyTokenJob.perform_later(
+        shop_domain: shop.shopify_domain,
+        refresh_token: args[:refresh_token]
+      )
+    end
+  end
+
+  # Its implementation will depend on the app configuration. Change accordingly.
+  def all_active_shops
+    Shop.all
+  end
+end

data/lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token_job.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Shopify
+  class RotateShopifyTokenJob < ActiveJob::Base
+    def perform(params)
+      @shop = Shop.find_by(shopify_domain: params[:shop_domain])
+      return unless @shop
+
+      config = ShopifyApp.configuration
+      uri = URI("https://#{@shop.shopify_domain}/admin/oauth/access_token")
+      post_data = {
+        client_id: config.api_key,
+        client_secret: config.secret,
+        refresh_token: params[:refresh_token],
+        access_token: @shop.shopify_token,
+      }
+
+      @response = Net::HTTP.post_form(uri, post_data)
+      return log_error(response_expcetion_error_message) unless @response.is_a?(Net::HTTPSuccess)
+
+      access_token = JSON.parse(@response.body)['access_token']
+      return log_error(no_access_token_error_message) unless access_token
+
+      @shop.update(shopify_token: access_token)
+    end
+
+    private
+
+    def log_error(message)
+      Rails.logger.error(message)
+    end
+
+    def no_access_token_error_message
+      "RotateShopifyTokenJob response returned no access token for shop: #{@shop.shopify_domain}"
+    end
+
+    def response_exception_error_message
+      "RotateShopifyTokenJob failed for shop: #{@shop.shopify_domain}." \
+        "Response returned status: #{@response.code}. Error message: #{@response.message}. "
+    end
+  end
+end

data/lib/generators/shopify_app/shop_model/shop_model_generator.rb

@@ -12,11 +12,11 @@ module ShopifyApp
       end
 
       def create_shop_migration
-        migration_template "db/migrate/create_shops.erb", "db/migrate/create_shops.rb"
+        migration_template 'db/migrate/create_shops.erb', 'db/migrate/create_shops.rb'
       end
 
-      def create_session_storage_initializer
-        copy_file 'shopify_session_repository.rb', 'config/initializers/shopify_session_repository.rb', force: true
+      def update_shopify_app_initializer
+        gsub_file 'config/initializers/shopify_app.rb', 'ShopifyApp::InMemorySessionStore', 'Shop'
       end
 
       def create_shop_fixtures

data/lib/generators/shopify_app/shop_model/templates/shop.rb

@@ -1,4 +1,3 @@
 class Shop < ActiveRecord::Base
-  include ShopifyApp::Shop
   include ShopifyApp::SessionStorage
 end

data/lib/shopify_app.rb

@@ -10,22 +10,26 @@ require 'shopify_app/configuration'
 # engine
 require 'shopify_app/engine'
 
-# jobs
-require 'shopify_app/webhooks_manager_job'
-require 'shopify_app/scripttags_manager_job'
-
-# helpers and concerns
-require 'shopify_app/shop'
-require 'shopify_app/session_storage'
-require 'shopify_app/sessions_concern'
-require 'shopify_app/localization'
-require 'shopify_app/login_protection'
-require 'shopify_app/webhooks_manager'
-require 'shopify_app/scripttags_manager'
-require 'shopify_app/webhook_verification'
-require 'shopify_app/app_proxy_verification'
+# utils
 require 'shopify_app/utils'
 
-# session repository
-require 'shopify_app/shopify_session_repository'
-require 'shopify_app/in_memory_session_store'
+# controller concerns
+require 'shopify_app/controller_concerns/localization'
+require 'shopify_app/controller_concerns/itp'
+require 'shopify_app/controller_concerns/login_protection'
+require 'shopify_app/controller_concerns/embedded_app'
+require 'shopify_app/controller_concerns/webhook_verification'
+require 'shopify_app/controller_concerns/app_proxy_verification'
+
+# jobs
+require 'shopify_app/jobs/webhooks_manager_job'
+require 'shopify_app/jobs/scripttags_manager_job'
+
+# managers
+require 'shopify_app/managers/webhooks_manager'
+require 'shopify_app/managers/scripttags_manager'
+
+# session
+require 'shopify_app/session/session_storage'
+require 'shopify_app/session/session_repository'
+require 'shopify_app/session/in_memory_session_store'

data/lib/shopify_app/configuration.rb

@@ -7,12 +7,18 @@ module ShopifyApp
     attr_accessor :application_name
     attr_accessor :api_key
     attr_accessor :secret
+    attr_accessor :old_secret
     attr_accessor :scope
     attr_accessor :embedded_app
     alias_method  :embedded_app?, :embedded_app
     attr_accessor :webhooks
     attr_accessor :scripttags
     attr_accessor :after_authenticate_job
+    attr_accessor :session_repository
+
+    # customise urls
+    attr_accessor :root_url
+    attr_accessor :login_url
 
     # customise ActiveJob queue names
     attr_accessor :scripttags_manager_queue_name
@@ -21,24 +27,36 @@ module ShopifyApp
     # configure myshopify domain for local shopify development
     attr_accessor :myshopify_domain
 
+    # allow namespacing webhook jobs
+    attr_accessor :webhook_jobs_namespace
+
     def initialize
+      @root_url = '/'
       @myshopify_domain = 'myshopify.com'
+      @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
+      @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
     end
 
-    def has_webhooks?
-      webhooks.present?
+    def login_url
+      @login_url || File.join(@root_url, 'login')
     end
 
-    def has_scripttags?
-      scripttags.present?
+    def session_repository=(klass)
+      if Rails.configuration.cache_classes
+        ShopifyApp::SessionRepository.storage = klass
+      else
+        ActiveSupport::Reloader.to_prepare do
+          ShopifyApp::SessionRepository.storage = klass
+        end
+      end
     end
 
-    def scripttags_manager_queue_name
-      @scripttags_manager_queue_name ||= Rails.application.config.active_job.queue_name
+    def has_webhooks?
+      webhooks.present?
     end
 
-    def webhooks_manager_queue_name
-      @webhooks_manager_queue_name ||= Rails.application.config.active_job.queue_name
+    def has_scripttags?
+      scripttags.present?
     end
   end
 

data/lib/shopify_app/{app_proxy_verification.rb → controller_concerns/app_proxy_verification.rb}

@@ -8,7 +8,7 @@ module ShopifyApp
     end
 
     def verify_proxy_request
-      return head :unauthorized unless query_string_valid?(request.query_string)
+      return head :forbidden unless query_string_valid?(request.query_string)
     end
 
     private

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -0,0 +1,19 @@
+module ShopifyApp
+  module EmbeddedApp
+    extend ActiveSupport::Concern
+
+    included do
+      if ShopifyApp.configuration.embedded_app?
+        after_action :set_esdk_headers
+        layout 'embedded_app'
+      end
+    end
+
+    private
+
+    def set_esdk_headers
+      response.set_header('P3P', 'CP="Not used"')
+      response.headers.except!('X-Frame-Options')
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/itp.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  # Cookie management helpers required for ITP implementation
+  module Itp
+    private
+
+    def set_test_cookie
+      return unless ShopifyApp.configuration.embedded_app?
+      return unless user_agent_can_partition_cookies
+
+      session['shopify.cookies_persist'] = true
+    end
+
+    def set_top_level_oauth_cookie
+      session['shopify.top_level_oauth'] = true
+    end
+
+    def clear_top_level_oauth_cookie
+      session.delete('shopify.top_level_oauth')
+    end
+
+    def user_agent_is_mobile
+      user_agent = BrowserSniffer.new(request.user_agent).browser_info
+
+      user_agent[:name].to_s.match(/Shopify\sMobile/)
+    end
+
+    def user_agent_is_pos
+      user_agent = BrowserSniffer.new(request.user_agent).browser_info
+
+      user_agent[:name].to_s.match(/Shopify\sPOS/)
+    end
+
+    def user_agent_can_partition_cookies
+      user_agent = BrowserSniffer.new(request.user_agent).browser_info
+
+      is_safari = user_agent[:name].to_s.match(/Safari/)
+
+      return false unless is_safari
+
+      user_agent[:version].to_s.match(/12\.0/)
+    end
+  end
+end

data/lib/shopify_app/{localization.rb → controller_concerns/localization.rb}

@@ -2,6 +2,12 @@ module ShopifyApp
   module Localization
     extend ActiveSupport::Concern
 
+    included do
+      before_action :set_locale
+    end
+
+    private
+
     def set_locale
       if params[:locale]
         session[:locale] = params[:locale]

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+require 'browser_sniffer'
+
+module ShopifyApp
+  module LoginProtection
+    extend ActiveSupport::Concern
+    include ShopifyApp::Itp
+
+    class ShopifyDomainNotFound < StandardError; end
+
+    included do
+      after_action :set_test_cookie
+      rescue_from ActiveResource::UnauthorizedAccess, :with => :close_session
+    end
+
+    def shopify_session
+      return redirect_to_login unless shop_session
+      clear_top_level_oauth_cookie
+
+      begin
+        ShopifyAPI::Base.activate_session(shop_session)
+        yield
+      ensure
+        ShopifyAPI::Base.clear_session
+      end
+    end
+
+    def shop_session
+      return unless session[:shopify]
+      @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify])
+    end
+
+    def login_again_if_different_shop
+      if shop_session && params[:shop] && params[:shop].is_a?(String) && (shop_session.url != params[:shop])
+        clear_shop_session
+        redirect_to_login
+      end
+    end
+
+    protected
+
+    def redirect_to_login
+      if request.xhr?
+        head :unauthorized
+      else
+        if request.get?
+          session[:return_to] = "#{request.path}?#{sanitized_params.to_query}"
+        end
+        redirect_to login_url
+      end
+    end
+
+    def close_session
+      clear_shop_session
+      redirect_to login_url
+    end
+
+    def clear_shop_session
+      session[:shopify] = nil
+      session[:shopify_domain] = nil
+      session[:shopify_user] = nil
+    end
+
+    def login_url(top_level: false)
+      url = ShopifyApp.configuration.login_url
+
+      query_params = login_url_params(top_level: top_level)
+
+      url = "#{url}?#{query_params.to_query}" if query_params.present?
+      url
+    end
+
+    def login_url_params(top_level:)
+      query_params = {}
+      query_params[:shop] = sanitized_params[:shop] if params[:shop].present?
+
+      has_referer_shop_name = referer_sanitized_shop_name.present?
+
+      if has_referer_shop_name
+        query_params[:shop] ||= referer_sanitized_shop_name
+      end
+
+      query_params[:top_level] = true if top_level
+      query_params
+    end
+
+    def fullpage_redirect_to(url)
+      if ShopifyApp.configuration.embedded_app?
+        render 'shopify_app/shared/redirect', layout: false, locals: { url: url, current_shopify_domain: current_shopify_domain }
+      else
+        redirect_to url
+      end
+    end
+
+    def current_shopify_domain
+      shopify_domain = sanitized_shop_name || session[:shopify_domain]
+      return shopify_domain if shopify_domain.present?
+
+      raise ShopifyDomainNotFound
+    end
+
+    def sanitized_shop_name
+      @sanitized_shop_name ||= sanitize_shop_param(params)
+    end
+
+    def referer_sanitized_shop_name
+      return unless request.referer.present?
+
+      @referer_sanitized_shop_name ||= begin
+        referer_uri = URI(request.referer)
+        query_params = Rack::Utils.parse_query(referer_uri.query)
+
+        sanitize_shop_param(query_params.with_indifferent_access)
+      end
+    end
+
+    def sanitize_shop_param(params)
+      return unless params[:shop].present?
+      ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    def sanitized_params
+      request.query_parameters.clone.tap do |query_params|
+        if params[:shop].is_a?(String)
+          query_params[:shop] = sanitize_shop_param(params)
+        end
+      end
+    end
+
+    def return_address
+      session.delete(:return_to) || ShopifyApp.configuration.root_url
+    end
+  end
+end